CVE-2024-10464 - Vulnerability Details

CVE-2024-10464 - firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser

Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Mozilla	Firefox Firefox Esr Thunderbird
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.4.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2024:8727	2024-10-31T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.4.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:8729	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:8790	2024-11-04T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:128.4.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:8724	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:9016	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:128.4.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:8723	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:9015	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:128.4.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:8723	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:9015	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:128.4.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:8723	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:9015	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.4.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:8725	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:9017	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
firefox-0:128.4.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:8725	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:9017	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.4.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:8725	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:9017	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:128.4.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:8722	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:9018	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.4.0-1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:8726	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:8793	2024-11-04T00:00:00Z
thunderbird-0:128.4.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9552	2024-11-13T00:00:00Z
firefox-0:128.4.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9554	2024-11-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.4.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:8721	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:9019	2024-11-07T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.4.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:8720	2024-10-31T00:00:00Z
thunderbird-0:128.4.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:8728	2024-10-31T00:00:00Z

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1913000
https://nvd.nist.gov/vuln/detail/CVE-2024-10464
https://www.cve.org/CVERecord?id=CVE-2024-10464
https://www.mozilla.org/security/advisories/mfsa2024-55/
https://www.mozilla.org/security/advisories/mfsa2024-56/
https://www.mozilla.org/security/advisories/mfsa2024-58/
https://www.mozilla.org/security/advisories/mfsa2024-59/

History

Mon, 04 Nov 2024 14:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird::::::::

Fri, 01 Nov 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus

Wed, 30 Oct 2024 01:45:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser
Weaknesses		CWE-799
References		https://nvd.nist.gov/vuln/detail/CVE-2024-10464 https://www.cve.org/CVERecord?id=CVE-2024-10464
Metrics	threat_severity `None`	threat_severity `Low`

Tue, 29 Oct 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Weaknesses		CWE-125
CPEs		cpe:2.3:a:mozilla:firefox:-:::::::* cpe:2.3:a:mozilla:firefox_esr:::::::: cpe:2.3:a:mozilla:thunderbird:-:::::::*
Vendors & Products		Mozilla Mozilla firefox Mozilla firefox Esr Mozilla thunderbird
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 29 Oct 2024 12:30:00 +0000

Type	Values Removed	Values Added
Description		Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1913000 https://www.mozilla.org/security/advisories/mfsa2024-55/ https://www.mozilla.org/security/advisories/mfsa2024-56/ https://www.mozilla.org/security/advisories/mfsa2024-58/ https://www.mozilla.org/security/advisories/mfsa2024-59/

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2024-10-29T12:19:14.864Z

Updated: 2024-10-29T14:51:11.731Z

Reserved: 2024-10-28T14:23:18.509Z

Link: CVE-2024-10464

Vulnrichment

Updated: 2024-10-29T14:51:00.731Z

NVD

Status : Analyzed

Published: 2024-10-29T13:15:04.120

Modified: 2024-11-04T13:30:23.513

Link: CVE-2024-10464

Redhat

Severity : Low

Publid Date: 2024-10-29T12:19:14Z

Links: CVE-2024-10464 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10464", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2024-10-28T14:23:18.509Z", "datePublished": "2024-10-29T12:19:14.864Z", "dateUpdated": "2024-10-29T14:51:11.731Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "132", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "128.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128.4", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "132", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132."}]}], "problemTypes": [{"descriptions": [{"description": "History interface could have been used to cause a Denial of Service condition in the browser", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1913000"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-55/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-56/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-58/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-59/"}], "credits": [{"lang": "en", "value": "Andrei Enache"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-10-29T12:19:14.864Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "affected": [{"vendor": "mozilla", "product": "firefox", "cpes": ["cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "132", "versionType": "custom"}]}, {"vendor": "mozilla", "product": "firefox_esr", "cpes": ["cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "128.4", "versionType": "custom"}]}, {"vendor": "mozilla", "product": "thunderbird", "cpes": ["cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "128.4", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "132", "versionType": "custom"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-29T14:48:10.873588Z", "id": "CVE-2024-10464", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T14:51:11.731Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-10464", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-29T14:48:10.873588Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:*"], "vendor": "mozilla", "product": "firefox", "versions": [{"status": "affected", "version": "0", "lessThan": "132", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*"], "vendor": "mozilla", "product": "firefox_esr", "versions": [{"status": "affected", "version": "0", "lessThan": "128.4", "versionType": "custom"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:mozilla:thunderbird:-:*:*:*:*:*:*:*"], "vendor": "mozilla", "product": "thunderbird", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "128.4"}, {"status": "affected", "version": "0", "lessThan": "132", "versionType": "custom"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T14:51:00.731Z"}}], "cna": {"credits": [{"lang": "en", "value": "Andrei Enache"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "132", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.4", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.4", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "132", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1913000"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-55/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-56/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-58/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2024-59/"}], "descriptions": [{"lang": "en", "value": "Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.", "supportingMedia": [{"type": "text/html", "value": "Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "History interface could have been used to cause a Denial of Service condition in the browser"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2024-10-29T12:19:14.864Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10464", "state": "PUBLISHED", "dateUpdated": "2024-10-29T14:51:11.731Z", "dateReserved": "2024-10-28T14:23:18.509Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2024-10-29T12:19:14.864Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "2E3F4DEC-8BEF-4DDD-BE8E-306B973FB76E", "versionEndExcluding": "128.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "12C78A13-6A39-4F36-8534-D8ECE46E0042", "versionEndExcluding": "132.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "D120292A-201C-4965-A05E-850214B0376A", "versionEndExcluding": "128.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2C6BA33-28F1-4F1F-ADFE-B5F9A04E6657", "versionEndExcluding": "132.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132."}, {"lang": "es", "value": " Las escrituras repetidas en los atributos de la interfaz del historial podr\u00edan haberse utilizado para provocar una condici\u00f3n de denegaci\u00f3n de servicio en el navegador. Esto se solucion\u00f3 introduciendo una limitaci\u00f3n de velocidad en esta API. Esta vulnerabilidad afecta a Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4 y Thunderbird < 132."}], "id": "CVE-2024-10464", "lastModified": "2024-11-04T13:30:23.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-10-29T13:15:04.120", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1913000"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-55/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-56/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-58/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2024-59/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8727", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.4.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:8729", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.4.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:8790", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.4.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:8724", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.4.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9016", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.4.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8723", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9015", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8723", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9015", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8723", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9015", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.4.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8725", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9017", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8725", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9017", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8725", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9017", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.4.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8722", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.4.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9018", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.4.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8726", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.4.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:8793", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.4.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-04T00:00:00Z"}, {"advisory": "RHSA-2024:9552", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.4.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9554", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.4.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:8721", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.4.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:9019", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.4.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-07T00:00:00Z"}, {"advisory": "RHSA-2024:8720", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.4.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-31T00:00:00Z"}, {"advisory": "RHSA-2024:8728", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.4.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-10-31T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: History interface could have been used to cause a Denial of Service condition in the browser", "id": "2322424", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2322424"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-799", "details": ["Repeated writes to history interface attributes could have been used to cause a Denial of Service condition in the browser. This was addressed by introducing rate-limiting to this API. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132.", "The Mozilla Foundation's Security Advisory: Repeated writes to history interface attributes could be used to cause a Denial of Service condition in the browser. This issue was addressed by introducing rate-limiting to this API."], "name": "CVE-2024-10464", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-29T12:19:14Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-10464\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10464\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1913000\nhttps://www.mozilla.org/security/advisories/mfsa2024-55/\nhttps://www.mozilla.org/security/advisories/mfsa2024-56/\nhttps://www.mozilla.org/security/advisories/mfsa2024-58/\nhttps://www.mozilla.org/security/advisories/mfsa2024-59/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Low"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object